Install error

Problem:
Good afternoon. I am installing Foreman 3.4 with self-signed SSL certificates. Before installation, I checked the certificates with katello-certs-check: everywhere "ok", no errors. However, when I try to install, I get errors. The installation log is below. P.S. If I do not use the certificates, there are no errors.

[root@foreman ]#  foreman-installer --scenario katello -l NOTICE \
>                       --certs-server-cert "/root/ca/name.domain.ru.crt" \
>                       --certs-server-key "/root/ca/device.key" \
>                       --certs-server-ca-cert "/root/ca/rootCA.pem"
2022-11-28 14:26:02 [NOTICE] [root] Loading installer configuration. This will take some time.
2022-11-28 14:26:06 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
2022-11-28 14:26:06 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions.
2022-11-28 14:26:15 [NOTICE] [configure] Starting system configuration.
2022-11-28 14:26:31 [NOTICE] [configure] 250 configuration steps out of 1382 steps complete.
2022-11-28 14:26:37 [NOTICE] [configure] 500 configuration steps out of 1384 steps complete.
2022-11-28 14:26:41 [NOTICE] [configure] 750 configuration steps out of 1390 steps complete.
2022-11-28 14:26:42 [NOTICE] [configure] 1000 configuration steps out of 1393 steps complete.
2022-11-28 14:27:12 [NOTICE] [configure] 1250 configuration steps out of 1393 steps complete.
2022-11-28 14:27:21 [ERROR ] [configure] /Stage[main]/Foreman::Register/Foreman_host[foreman-name.domain.ru]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (Hostname mismatch) in get request to: https://name.domain.ru/api/v2/hosts?search=name%3D%22name.domain.ru%22
2022-11-28 14:27:21 [ERROR ] [configure] Wrapped exception:
2022-11-28 14:27:21 [ERROR ] [configure] SSL_connect returned=1 errno=0 state=error: certificate verify failed (Hostname mismatch)
2022-11-28 14:27:22 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_host[foreman-proxy-name.domain.ru]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (Hostname mismatch) in get request to: https://name.domain.ru/api/v2/hosts?search=name%3D%22name.domain.ru%22
2022-11-28 14:27:22 [ERROR ] [configure] Wrapped exception:
2022-11-28 14:27:22 [ERROR ] [configure] SSL_connect returned=1 errno=0 state=error: certificate verify failed (Hostname mismatch)
2022-11-28 14:27:22 [ERROR ] [configure] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[name.domain.ru]: Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (Hostname mismatch) in get request to: https://name.domain.ru/api/v2/smart_proxies?search=name%3D%22name.domain.ru%22
2022-11-28 14:27:22 [ERROR ] [configure] Wrapped exception:
2022-11-28 14:27:22 [ERROR ] [configure] SSL_connect returned=1 errno=0 state=error: certificate verify failed (Hostname mismatch)
2022-11-28 14:27:24 [NOTICE] [configure] System configuration has finished.

Expected outcome:

Successful installation with certificates (HTTPS must not complain)
Foreman and Proxy versions:
3.4
Foreman and Proxy plugin versions:
3.4
Distribution and version:

Other relevant data:

Does the cert check succeed? Did you run it? What’s the output?

https://docs.theforeman.org/3.4/Installing_Server/index-katello.html#Deploying_a_Custom_SSL_Certificate_to_Server_foreman

Yes, yes, I did, it says the same in the header. Everywhere the value of the check was "OK".

I’m not entirely sure what might be wrong, but one thing that sticks out to me is that you have foreman-proxy-name.domain.ru and foreman-name.domain.ru. Is your foreman-proxy mentioned here not the primary proxy that is running on the Foreman server itself? If it is, it should have the same domain name. If it isn’t, then I think foreman-installer arguments are missing for proxy’s URL (FQDN).

There are separate steps for setting up a smart proxy with custom certificates. Essentially, you take the output of foreman-proxy-certs-generate and run the installer with them. Installing an External Smart Proxy Server 3.4


At first, I thought so, too, but then I have verified: the puppet resources are really called that way. foreman-proxy-foreman.example.com is the resource for the foreman-proxy on foreman.example.com. So that’s correct.


The smart-proxy lives on the same host. Colleagues, could it be that the smart-proxy certificate must be signed by the same certification authority with which I signed the Katello certificate? Maybe the error occurs because of this?

Well, the error says Hostname mismatch. So you have to check that. As you have disguised the hostname in the logs, it's difficult to tell, because we don't know what you have replaced where and how exactly.

So, general guidelines:

  1. Verify that there is only a single certificate in /root/ca/name.domain.ru.crt.
  2. Check the names in the certificate: openssl x509 -in /root/ca/name.domain.ru.crt -noout -text. Look for the X509v3 Subject Alternative Name section with the DNS names.
  3. Check the certificate which the server delivers: openssl s_client -connect name.domain.ru:443. It prints the server certificate in PEM. Paste the text into openssl x509 -noout -text and verify that the output is identical to the output in step 2.

According to the error message the certificate does not contain the hostname name.domain.ru.


Hi, thank you all very much. The problem is solved. Below I share the cause of the problem and its solution.
During the first installation I made a mistake with the hostname and specified it incorrectly. Later I noticed this and issued a new certificate with the correct hostname, but the installation still ended with an error (hostname mismatch). Looking at the output of openssl s_client -connect name.domain.ru:443, I was horrified to see that, despite my having issued a new certificate, Foreman still served the old one, with the wrong hostname. Reinstalling from the very beginning helped. Maybe it will be useful for someone.
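As an added example (not code from the thread or from Foreman), the three guideline checks above scripted with the openssl CLI; the same script also catches the stale served certificate found in the resolution. The certificate file path, hostname and port are assumed arguments, and the name check goes a step beyond the thread by also honouring single-label wildcard SAN entries.

```shell
#!/bin/sh
# Added example, not code from the thread: scripts the three guideline checks.
# Assumes only the openssl CLI; cert file path, hostname and port are arguments.

# Step 1: count certificates in the file (the server cert file should hold exactly one).
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Step 2: DNS names from the X509v3 Subject Alternative Name section, one per line.
# Only SAN entries count: verifiers such as Ruby's OpenSSL ignore the CN once a SAN is present.
cert_san_names() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Returns 0 when HOST is covered by the SAN list, either literally or by a single-label
# wildcard (*.lab.example.com covers host.lab.example.com, not a.b.lab.example.com).
cert_has_hostname() {
    names=$(cert_san_names "$1")
    printf '%s\n' "$names" | grep -qxF "$2" && return 0
    parent=${2#*.}
    [ "$parent" != "$2" ] && printf '%s\n' "$names" | grep -qxF "*.$parent"
}

# Step 3: the certificate the server actually presents (SNI set to HOST), as PEM.
served_cert_pem() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM 2>/dev/null
}

# True when the served certificate is the one in FILE (same SHA-256 fingerprint).
# A mismatch here is the stale-certificate situation from the thread's resolution.
served_cert_matches() {
    served=$(served_cert_pem "$2" "$3" | openssl x509 -noout -fingerprint -sha256 2>/dev/null)
    [ -n "$served" ] &&
        [ "$served" = "$(openssl x509 -in "$1" -noout -fingerprint -sha256)" ]
}

# Usage: sh check_cert.sh /root/ca/name.domain.ru.crt name.domain.ru [443]
if [ $# -ge 2 ]; then
    [ "$(cert_count "$1")" = 1 ] || echo "WARN: $1 holds $(cert_count "$1") certificates, expected 1"
    cert_has_hostname "$1" "$2" || echo "FAIL: $2 is not in the SAN list of $1"
    served_cert_matches "$1" "$2" "$3" || echo "FAIL: $2 serves a different certificate than $1"
fi
```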